Microsoft has issued Security Advisory 2718704, in which the company disclosed that it recently became aware of the Flamer/Skywiper threat, which uses certificates derived from the Microsoft Certificate Authority.
The actual certificate in question was used to sign at least one of the attack components associated with the module in the Skywiper framework.
This is how the digital certificate looks like on the module:
The certificate was valid between February 19, 2010 to February 19, 2012, in the Pacific time zone. (Other certificates might have been issued in a similar manner.)
Clearly, the certificate has been valid for the last two years. In an earlier blog, we hinted that this attack might involve digital certificates on some of its components. It is possible that other components also used digital signatures to carry out variations of this attack.
Further investigation of the downloader component shows that it was compiled on December 27, 2010, also Pacific time.
Machine: 014C (i386)
Number of Sections: 0004
TimeDateStamp: 4D1894AE -> Mon Dec 27 07:29:18 2010
A SigCheck from the SysInternals suite shows the following information on the attack component:
Microsoft LSRA PA
Microsoft Enforced Licensing Registration Authority CA
Microsoft Enforced Licensing Intermediate PCA
Microsoft Root Authority
Signing date: 8:54 AM 12/28/2010
File version: n/a
The certificate used to sign this file was originally issued by a Terminal Server Licensing Intermediate Certificate Authority. That means the certificate was supposed to be used only to authenticate users connecting to the Terminal Server but, due to a mistake in the CA configuration, it could be used to sign code, too.
Microsoft’s revocation of this Intermediate CA does not affect the trustworthiness of any other certificate issued by Microsoft itself. Only certificates issued to users of Terminal Server would need to have their certificates reissued by their system admins.
To pull off this attack, the worm module creates a server called MSHOME-F3BE293C on the infected machine, and intercepts Windows update requests from nearby machines if the network settings allow a Windows update “proxy” using the Web Proxy Auto-Discovery Protocol. The server supplies a signed executable within CAB packages for Windows Update on the local network. (Such redirection attack opportunities have been discussed publicly, many times.) This step facilitates the infection of the local network, with a very silent, “below the radar” distribution mechanism.
An updated map of Skywiper infections based on our current information looks like this:
The targeted attacks of this threat are limited to a few individuals, organizations, and institutions, with the largest infection numbers reported from Iran.
Leave a reply